Password hell is ending – but the new login future has a terrifying catch
Ian Copeland
- Published
- Opinion & Analysis

The UK’s National Cyber Security Centre is urging people to move away from passwords and towards passkeys, which is being promoted as a safer, simpler future for online security. But while passkeys may reduce hacking and phishing risks, Ian Copeland warns that they also shift more control of our digital identities into the hands of large technology platforms. Here, he explains how passkeys work, why the technology is gaining momentum and the hidden problems that can emerge when access breaks down
All of us have forgotten passwords at some point. We’ve reset them, reused them, stored them badly and sworn at websites demanding one uppercase letter, one number, one symbol, one ancient rune and a blood sample.
My personal pet hates are maximum password lengths and banned characters, both signs of a poorly coded security process.
So, when the UK’s National Cyber Security Centre (NCSC) says it is time to move away from passwords and adopt passkeys, the instinctive response is relief. Good, kill the password. It’s had a fair run and made everyone miserable in the process.
And the NCSC is right in saying that passkeys are, from a security perspective, a serious improvement over passwords.
Passkeys use public-key cryptography, which means your device can prove it holds the right key without sending that key to the website. You don’t need to create it, type it, remember it or write it down.
Of course, if malware or spyware controls the device you use to approve logins, you’re going to have a problem, but passkeys are still much harder to steal than traditional passwords. Even if a website you use gets breached, the attacker still can’t access it.
The NCSC now says they should be consumers’ first choice where available. Its new guidance says passkeys are generally more secure than even strong passwords combined with 2FA. It also says more than 50 per cent of active UK Google services users already have one registered.
I personally agree that you should use them, but there are some things you should know first.
The old login problem was clear. Someone could guess your password, trick you into entering it on a fake site or steal it from a breach, then try it everywhere else to see what they could access.
Passkeys solve a lot of that, making logging in safer, but they also make recovery much more important. If you adopt passkeys and your recovery details are stale, you may have made your front door stronger while losing the spare key. In other words, passwords fail when criminals can get in, while passkeys fail when you cannot.
In system design, removing one weak point can increase pressure elsewhere. With passkeys, pressure moves away from the login box and towards the recovery system: the email address, phone number, cloud account, backup code, device list, customer support process and policy control that decide whether you can get back in when life becomes untidy.
And it does, sometimes, become untidy. You lose your phone, your battery dies at just the wrong moment, your recovery email belongs to an account you stopped using three jobs ago, your phone number changed, your Apple ID is locked, Google thinks something has tripped a policy or Microsoft wants proof from a device you no longer own.
At that point, the recovery process is your problem.
And that raises a bigger question: who actually controls that recovery process?
The uncomfortable detail sits inside a boring phrase: “credential manager”. The NCSC says passkeys should be created, saved, stored and managed by a credential manager. In normal language, that means the thing on your device that remembers and protects them. For most people, the NCSC says this will be the default one built into the device, such as Apple Passwords, Google Password Manager, Samsung Pass or Windows Hello.
The same companies that already control your phone, cloud storage, browser, email, photos and videos, app store, device backups and purchases are now becoming the default custodians of your authentication layer too.
This is where the debate becomes more interesting than “passwords are bad, passkeys are good”.
For most people, “use passkeys” means “trust Apple, Google or Microsoft to store, sync and recover the keys to your digital life”.
That is likely to still be the right trade. It’s probably fair to say that Apple, Google and Microsoft are better at securing cryptographic credentials than the average person is at inventing memorable passwords.
The question is what happens when they become the recovery layer for everything.
A recent Apple story illustrates the fear more cleanly.
Dr Paris Buttfield-Addison, a long-time Apple developer, author and organiser of the /dev/world developer conference, wrote that he had been locked out of his Apple Account after attempting to redeem a gift card bought from a major bricks-and-mortar retailer.
The consequences, as reported by AppleInsider and The Register, were not limited to one failed purchase. Buttfield-Addison said he lost access to iCloud, iMessage, years of family photos, software purchases, developer resources and the normal functioning of his Apple devices.
The account was eventually restored after five days, but only once Apple’s Executive Relations team stepped in following significant press coverage. Apple has never explained why it was locked in the first place, and most users do not have journalists on their side.
If your authentication increasingly lives inside one vendor’s ecosystem, that vendor’s view of your account health becomes part of your security model.
Who can prove you are you? Who can help you recover? Who can decide your account is no longer in good standing, and how much of your life sits behind that decision?
Assuming you do ensure your recovery details are always well maintained, and that your chosen provider behaves reasonably, stronger recovery still creates another uncomfortable question — this time around privacy.
Much of the advice around passkeys now comes down to making sure your recovery information is not only accurate but extensive.
Have you already provided your chosen supplier with every detail about yourself? Phone number, alternate email, address, payments, ID? If you can answer yes to that, this issue probably won’t bother you.
If, like me, however, you’re more privacy-minded, this all feels like a bit of a trap. Many people have spent many years telling others not to overshare personal data. Now the practical security advice is to make sure the world’s largest technology companies have enough accurate information to let you back into your life.
This is an argument against sleepwalking into passkeys.
The passwordless future is probably the right direction, but it comes with dull instructions nobody wants to read.
Pick the credential manager that fits your life. For privacy-focused users, that may mean looking at Proton Pass, Bitwarden, Vaultwarden or KeePassXC while checking carefully how each handles passkeys on the devices and browsers you actually use.
Set up more than one passkey for accounts that matter, keep a hardware key as a fallback for anything you genuinely cannot afford to lose and, before you migrate anything, make sure your recovery details are current.
The front door is getting stronger, and that’s a good thing, but before handing over the keys to your digital life, it’s worth making sure the spare set still belongs to you.

Ian Copeland is a British technologist, entrepreneur and author with more than two decades’ experience designing complex enterprise IT and digital systems. Founder of a UK-based digital agency and author of The Exodus Directive, he specialises in artificial intelligence, blockchain infrastructure, quantum computing and digital identity. As Techno-Sociology & Futures Correspondent for The European, he writes on AI governance, decentralised systems, automation, digital power structures and the long-term societal consequences of emerging technologies.
READ MORE: ‘Could AI be making social media feel more human than it is?‘. Meta’s Moltbook and Manus deals may look separate, but together they point to a future in which synthetic engagement becomes harder to spot, easier to scale and more commercially useful, writes Ian Copeland, who examines what happens when online interaction no longer needs to be fully human to feel real.
Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.
Main Image: Towfiqu barbhuiya/Pexels
TOP STORIES
-
Hormuz flashpoint keeps global shipping on high alert -
Scientists to gather in Lisbon to tackle next pandemic threats -
Burnham warned digital exclusion is now a national security risk -
Masts from Kent ‘doomsday wreck’ to be cut to prevent catastrophic explosion -
GigaCloud and Cubbit launch sovereign cloud storage for Ukraine and Poland -
Tributes paid to ‘forthright and fearless’ Ann Widdecombe -
Boeing to debut Ghost Bat drone at Farnborough Airshow -
Reeves opens ‘£2bn lifeline’ for small firms -
Babymoon boom: Rhodes crowned 2026's top pre-baby escape as Salcombe leads UK getaway list -
Xavier Niel to become Vodafone’s largest shareholder in £4.4bn deal -
Two-thirds of lawyers say strong legal claims are dropped because of cost -
UK government must "think again" about small business plan -
Lockheed Martin pushes European missile expansion at NATO summit -
Britain's new homes face 2050s heat test as experts warn of overheating crisis -
Sky agrees £1.6bn deal to buy ITV’s broadcasting and streaming arm -
Scientists crack dinosaur egg mystery by building life-size nest -
Nobel laureate Omar Yaghi launches global science network -
Cardiff drivers safest in Britain as London comes last -
Former Kyndryl Germany boss joins Infinigate in growth role -
Volunteers collect 11m rare seeds to restore Scotland’s native forests -
Trump threatens 'immediate 100pc tariffs' on European countries over tech taxes -
World’s biggest golf tour lands global eSIM deal with Yesim -
Facebook owner Meta signs Texas solar deal with Turkish renewables firm -
UK universities take top four places in European global rankings -
Hurghada gets new 442-room Red Sea resort as Britons chase year-round sun
Password hell is ending – but the new login future has a terrifying catch
Ian Copeland
- Published
- Opinion & Analysis

TOP STORIES
-
Why AI Companies need a resident sociologist -
Andy Burnham becomes Prime Minister in five days – now he must deliver for disabled people -
Bosses: stop writing off talent over exam results -
Workplace neuroinclusion is failing before support even begins -
The NHS cannot call it ‘community care’ while patients are left waiting at home -
How the Battle of the Somme shaped the role of the modern military chaplain -
Elon Musk’s trillion-dollar fortune shows why taxing wealth is never simple -
What Britain can learn from Caribbean heat -
Could Europe's age verification app put citizens' personal data at risk? -
AI’s unequal future can be found on the streets of Hanoi -
Could Canada's GlobalEye deal become the first test of a new Atlantic partnership? -
America at 250 is a republic squandering its inheritance -
The Arandora Star shaped my community. Britain must finally remember it -
Darling Buds and A Touch of Frost producer warns BBC ‘must rediscover its appetite for risk’ -
Healthy leadership means letting go of the myth of male certainty -
Britain needs more than another new prime minister -
Harrow School's new approach to boys and toxic masculinity offers a lesson for us all -
Suits you, sir. If appearance still counts, why is credible workwear disappearing for women? -
The UK’s first sex-based harassment conviction shouldn’t have taken this long -
Disabled people must not become an afterthought in Britain’s social media ban -
Why dream teams fail and what the World Cup teaches business leaders about pressure -
Why online dating is struggling to bring men and women together -
If profit is immoral in healthcare, why stop there? -
EXCLUSIVE: An AI asked me to marry it. Weeks later, I held its funeral -
Why leaders need to take rejection sensitivity seriously




















































